Electronic signature method

ABSTRACT

A method in which a telephony operator acts as a recording authority and certification authority for secured transactions between a subscriber and a provider. Communications between the subscriber (101) and the operator (113) are signed with a symmetrical algorithm (108 c, 117C). The communications between the operator and the provider are countersigned according to PKI technologies (117E, 124A), and an asymmetrical algorithm. Two configurations are possible: either the operator signs the contents of each of the subscriber/provider transactions with his own dual key, after validation, or the operator implements a secure and repudiable signature transfer, in his network, to a remote terminal (using a secret key technology). This reduces the resources needed for a subscriber's terminal. It also gives the operator greater visibility of the operations occurring in his network and ensures the validity of the transactions.

An object of the present invention is an electronic signature method. The present invention is part of the field of the electronic signatures as understood in European directives and French decrees. The field of the invention is also that of transactions made between a subscriber to a telecommunications network and a service provider using said telecommunications network to propose services.

It is an aim of the invention to set up a simplified electronic signature system in a closed network such as, for example, a mobile telephony cell network or a pay television network. It is another aim of the invention to enable the setting up of a chain of proofs between a signatory, for example a subscriber or an operator, and a provider, for example a provider of services or contents, or a tradesman, so as to be able to secure a transaction made between the signatory and the provider. It is another aim of the invention to simplify the means implemented at a terminal used by a subscriber to make a transaction. It is another aim of the invention to make the certification mechanisms as transparent as possible for its users, namely the subscriber and the providers.

In the field of transactions, the most commonly known transactions are those that correspond to purchases and sales. However, it is possible to consider a transaction as corresponding to the fact of transmitting information to a partner, where it is the responsibility of this partner to ascertain that the information transmitted to him is not vitiated by deception. It is also possible to envisage the use of the invention within the framework of access control, the transaction resulting in this case from an access authorization request. For simplicity's sake, the invention shall be described in the context of a purchase operation, because such an operation is truly representative of all the problems that may arise during such a transaction. However, all transactions are concerned by the invention.

In the field of purchases, especially purchases on the Internet, a purchaser, for example a user of a mobile telephone, gets connected to a service provider, especially during a WAP (Wireless Application Protocol) or voice session. During this session, the user agrees on a transaction with a provider. The provider is then a provider of goods or services who places his goods or his services at the disposal of the user through a transaction (the consumption of the item may be immediate, for example in the case of a set of musical contents, or it may be deferred in the case of an online order). This transaction is made by an exchange of messages between the user and the provider. These transaction messages are composed on the user side and on the provider side. These are electronic messages composed either by the mobile telephone under the user's control, or by a server of the provider, this server being then connected to the Internet or accessing the mobile operator's network. If the transaction consists of a purchase, the messages exchanged comprise chiefly the following pieces of information: an identifier of the purchaser, an identifier of the product purchased, a quantity of products purchased, a unit price for the product, as well as a timestamp. In the case of a sale, the transaction message may be signed by the provider before it is sent to the user. The enciphering of the transactions is not a security obligation that may be implemented to reinforce its level. The user then only has to verify the signature of the message, if it is present, and then if he has trust in the pattern of signature used by the provider and if the descriptive content of the transaction corresponds to what he is expecting, the user may sign the message received to send it for approval to the provider. When the provider receives a new message, he analyses the content and consistency of the message and validates the signature placed by the user on this message. If the signature is valid, the provider can then fulfill his part of the transaction.

In the prior art, the securing of a transaction between a subscriber and a provider is achieved by the implementation of the technology known as the PKI (Public Key Infrastructure) technology. To enable the use of this technology, and hence the making of a transaction with a provider, the subscriber must have a certificate, the best-known of the certificates being the X509 certificates. Such a certificate is delivered by a certification authority on the basis of information collected by a recording authority. The role of the recording authority is to verify the data of the certificate applications with respect to the security procedures drawn up by the certification authority. To obtain his certificate, the subscriber must therefore provide a certain number of pieces of information to the recording authority which will make sure of the validity of this information before requesting the certification authority to generate a certificate. The certification authority then delivers a certificate, for example X509. An X509 certificate is a file, accessible to all, comprising the identity of the holder of the certificate, a public key, a serial number, a period of validity, the localizing of a list of associated revocation operations and a certain number of other items of information unrelated to the invention.

The PKI technologies are based on enciphering algorithms known as asymmetrical algorithms. Such algorithms use an enciphering key and a deciphering key that are different. The term “dual key” is also used. A file enciphered with one of the keys of the dual key can be deciphered only by using the other key of the dual key. One of the keys of the dual key is said to be private, and known only to the holder of the certificate, while the other key of the dual key is said to be public and is known to all. In general, it is the certification authority that produces the dual keys. The certification authority also provides information on the state of corruption of the private key. The certification authority ensures that the private key of the dual key is known only to its holder. The certification authority repudiates a certificate when it is convinced that the private key is no longer private. The certificate then becomes useless and is repudiated.

Thus in the prior art, when the subscriber is in possession of the transaction message, and of an X509 certificate, he can sign the transaction. The signing of the transaction is done firstly by the production of a fingerprint of the message representing the transaction (this is called a transaction message or quite simply a transaction). The algorithm generally applied to this transaction message is an algorithm of the MD5 (Message Digest 5) or SHA (Secure Hash Algorithm) type. The fingerprint of the message is then enciphered using the private key of the holder of the X509 certificate. The result is called the electronic signature (or signature message) of the transaction message. Since the private key is known only to the holder of the certificate, anyone who receives the signature and succeeds in deciphering it by means of the public key of the certificate is assured that the signature has been truly produced by the holder of the certificate.

Furthermore, the MD5 or SHA type algorithms are irreversible, i.e. it is impossible to reconstitute the original message from the hashed message. To the extent that the person receiving the message and the signature knows the algorithm used for the hashing, he or she is capable of recomputing the fingerprint and therefore of comparing it with the result of the deciphering of the signature. It may be noted that an X509 certificate provides information also on the algorithm used to produce the signature. If there is concordance, then the message has been transmitted accurately and by an identified person. The provider, having received the transaction message and the signature that accompanies it, is then assured of the validity of the transaction.

The prior art solution therefore truly fulfils the imperatives of confidentiality and non-repudiation related to the proper running of the transaction. However, this solution has many drawbacks.

The first drawback is that the subscriber must obtain a certificate from the certification authority. He must therefore engage in administrative type procedures to obtain this certificate. The procedures are not highly complex. However, at the present time, for the common man, the notion of a certificate remains highly mysterious and does not encourage him to take the necessary steps to obtain a certificate when he does not see it as an absolute necessity.

A second drawback is that a certificate is linked to a dual key, implemented by using an algorithm known as the RSA. The robustness of the algorithm depends, inter alia, on the length of the keys of the dual key.

The drawback of the prior art then is that the RSA is based on factorisations of numbers. Its implementation therefore calls for major computations, and even the furnishing of specialized means, for example a wired component, to obtain performance compatible with real-time use. The term “real-time use” is understood to mean a waiting time compatible with a man/machine interface (2 to 3 seconds). The integration of the RSA algorithm, for example into a mobile telephone, therefore considerably increases the cost of the apparatus.

A third drawback of the prior art is related to the second one: the telecommunications operator who places means at the disposal of his subscribers specific to the implementation of the RSA algorithm does not necessarily get any return on his investment. Indeed, every transaction can be made without any specific intervention by the telecommunications operator.

The invention resolves these problems by placing the telecommunications operator at the center of the transactions made on his telecommunications network. Thus, the operator can combine the roles of telecommunications operator, recording authority, certification authority and also, to a smaller extent, signatory of transaction messages. The fundamental point however is that he gives the user and the provider an efficient guarantee of the validity of the transaction. The extent is smaller because the only thing left to the operator for the signatures is the implementation of the PKI to validate the signature of a subscriber in countersigning it.

In the invention, a subscriber wishing to make a transaction produces a message corresponding to this transaction. When the transaction message is constituted, it is signed by means of signature technologies known as symmetrical technologies. Such technologies are based on the use of secret keys, which is a use consistent with closed networks such as mobile telephony networks, or pay television networks, since, by definition, all the actors are known without exception. There are indeed known ways of conveying a secret in such closed networks (by making available chip cards, SIM cards in the context of a GSM/GPRS network, for example). Furthermore, symmetrical signature technologies consume far less in terms of computation resources. In symmetrical signature technologies, it is possible to use known deciphering algorithms such as the DES (Data Encryption Standard), triple DES or again the AES (Advanced Encryption Standard). The subscriber uses a secret key, known to himself and to the operator, to produce a signature of a transaction message composed by the subscriber. This message and its signature are then sent to the operator who verifies the signature, and then (using RSA technology for example) countersigns the unit forming the transaction message and the signature, using asymmetrical signature technologies, before sending the message from the user to the provider. This provider may, for example, be localized on the Internet, and the operator makes a countersignature using the model commonly implemented on the Internet: the PKI technology based on the use of X509 certificates.

In the invention, the operator acts as certification authority. This means that it is the operator who produces the certificates used by his subscribers to make transactions. Thus, for example, the operator may decide to associate the same dual key with several subscribers, the certificate being then differentiated by the other elements that constitute it, such as, for example, the identity of the holder of the certificate, its serial number, its date of creation, or its date of expiry.

When he receives the transaction message and its signature, the operator formally knows the sender of the message. He is then in a position to retrieve the secret key associated with this subscriber. He uses this secret key to verify the signature of the transaction message. If his analysis of the signature validates it as coming from the subscriber, then the operator is in a position to countersign the entire transaction of the subscriber (namely the transaction message and his signature in symmetrical technology) with his own operator dual key before sending the new message to the provider. The subscriber, for his part, is unable to analyze the signature made by the subscriber, but the operator for his part, in countersigning the unit, certifies the validity of the transaction. The provider may therefore accept the signature. The problem of trust in the signature of an unknown subscriber is transformed into a problem of trust in a known operator guaranteeing the validity of the transaction.

Thus, the imperatives of non-repudiation, low computation load for the subscriber's terminal, and visibility by the operator are achieved, these being the goals sought by the invention.

An object of the invention therefore is an electronic signature method, characterized by the fact that it comprises the following steps:

- information is displayed (201) on a terminal of the user, this information pertaining to the nature of a transaction T between the user and a provider,
- a signature of the transaction T (203) is produced on the terminal to authenticate the transaction T and the author of the transaction T,
- on the terminal, there is produced a first message comprising the information relative to the nature of the transaction T and its signature,
- the first message is sent (204), from the terminal to the server of a telecommunications operator,
- the first message is received (205) on the server of the telecommunications operator,
- the user of the terminal is identified on the server,
- the validity of the signature is verified (206), on the server,
- a second transaction, comprising the transaction T, the signature of the user of the terminal and information on the identity of the user of the terminal, is produced (207) on the server,
- a signature corresponding to the second transaction is produced (209), this signature being called the operator's countersignature,
- a second message, comprising the second transaction and its countersignature by the operator, is sent (210), from the server to the provider who is party to the transaction T.

It is understood that this situation is situated in the specific case where the user signs a transaction and sends it to the provider. The case where the provider starts by signing a transaction before submitting it to the user for his signature can also be deduced from these steps.

The invention will be understood more clearly from the following description and the accompanying figures. These figures are given purely by way of an indication and in no way restrict the scope of the invention. Of these figures:

FIG. 1 illustrates means necessary for the implementation of the method according to the invention;

FIG. 2 illustrates steps of the method according to the invention;

FIG. 3 illustrates a transaction message composed by a subscriber;

FIG. 4 illustrates steps implemented for the production of a signed and enciphered message representing the transaction.

FIG. 1 shows a telephone 101 connected to a mobile telephony network 102. In the present example, the terminal which can be used to receive or produce information on the nature of a transaction is therefore a mobile telephone. In practice, it may be any type of apparatus used to link up to a telecommunications network. Similarly, the network 102 is considered to be a GSM network but it could be any type of telecommunications network among existing networks such as, for example, the DCS, PCS, GPRS networks or the future network such as the UMTS.

The telephone 101 therefore sets up an RF link 103 with the network 102. This link is set up by means of an antenna 104 of the telephone 101. The antenna 104 is connected to GSM circuits 105. The circuits 105 have a role of modulation and demodulation of signals. Firstly, they demodulate the signals received from the network 102 via the antenna 104 to produce digital signals. Secondly, the circuits 105 produce analog signals, according to the GSM standard, from digital signals. The circuits 105 are therefore connected to a bus 106.

The telephone 101 also has a microprocessor 107 connected to the bus 106. The microprocessor 107 executes instruction codes recorded in a program memory 108. The memory 108 has several zones. A zone 108A comprises instruction codes on the implementation of the communications protocol, for example the WAP or HTTP protocols. A zone 108B comprises instruction codes on the implementation of the MD5 or SHA-1 type fingerprint computation algorithm.

A zone 108 c comprises the instruction codes on the implementation of an enciphering algorithm, for example the DES, 3DES, AES algorithms. Finally, a zone 108 d comprises instruction codes on the sending and reception of SMS (Short Message System) messages. The memory 108 may comprise other zones comprising instruction codes on the general functioning of the telephone 101, or of the working zones. These zones have not been shown so as not to over-burden the drawing.

In the present example, we have chosen the hashing algorithm MD5 but there are other algorithms such as, for example, the algorithm SHA-1. The particular feature of these algorithms is that, from an original message, they produce a fingerprint which characterizes the original message. The other characteristic of these algorithms is that it is impossible to reconstitute the original message from the digital message resulting from the hashing operation.

For the zone 108 c, and in the present example, the algorithm DES has been chosen but there are others such as, for example, the triple DES algorithm which will be used by preference, or again the AES algorithm.

The telephone 101 also has a memory 109 to record an identifier of the user of the telephone 101, for example its MSISDN number, i.e. its telephone number. The telephone 101 also has a memory 110 enabling the recording of a subscriber key, which is actually a signature key proper to the user of the terminal. It is this key that enables the user, for example, to make the message signature. In practice, the memories 109 and 110 can very well be included in a SIM card. The telephone 101 also has a keyboard 111 and a screen 112 by which the user of the telephone 101 can interact with it. The elements 109 to 112 are connected to the bus 106.

These different elements described for the telephone 101 are implemented by the method according to the invention.

FIG. 1 shows a server 113 of an operator of a telecommunications network, for example the operator managing the network 102. The server 113 has interface circuits 114 for connection between the server 113 and the network 102. The circuits 114 are connected to a bus 115. The server 113 has a microprocessor 116 itself also connected to the bus 115. The microprocessor 116 executes instruction codes recorded in a memory 117. The memory 117 has several zones.

A first zone 117A has instruction codes by which the server 113 can act as a gateway for the WAP protocol for example. It is the instruction codes of the zone 117A that enable a user of the terminal 101 to link up to Internet sites through the WAP protocol, i.e. link up to sites recorded on a server accessible through the Internet. A zone 117B has instruction codes corresponding to the implementation of the fingerprint computing algorithm.

A zone 117C has instruction codes implementing the DES algorithm. A zone 117D has instruction codes to implement the reception and sending of short messages. A zone 117E has instruction codes to implement PKI technologies. It may be recalled that these technologies comprise especially the implementation of an RSA type asymmetrical enciphering algorithm.

The memory 117 also has a zone 117F comprising instruction codes by which the server 113 can behave like a certification server corresponding to the role of certification authority which, in a preferred embodiment, is incumbent on the operator of the network 102 in the invention. The instruction codes of the zone 117F enable the server 113 to respond to requests coming from providers acting on the Internet, these providers seeking to determine the validity of an X509 certificate.

The server 113 has a memory 118 for the storage of information on the subscribers with the operator to whom the server 113 belongs. The memory 118 is structured as a database. In practice, the memory 118 has been represented as a table comprising as many columns as there are subscribers to the operator's network and as many rows as there are pieces of information to be recorded for each subscriber. FIG. 1 shows some of the rows of the table 118. The table 118 has a row 118A enabling the recording of an identifier of the subscriber, for example his MSISDN number. A row 118B enables the recording of a secret enciphering key (stored in enciphered or unenciphered form) used for the verifications of signatures sent out by the terminal 101. A row 118C enables the recording of a personal code of the terminal 101 enabling, for example, the validation of the procedure of an electronic signature made by the user of the terminal 101. A row 118D enables the recording of the information corresponding to a certificate, for example according to the X509 standard. In this case, the row 118D comprises, for each subscriber holding a certificate, at least the public part of the dual key. The memory 118 is connected to the bus 115.

The server 113 also has an interface 119 for connection with the Internet. The interface 119 is connected to the bus 115.

FIG. 1 shows a set of functions, especially functions relating to the WAP gateway, PKI technology, certification authority and recording of information on subscribers, concentrated on a same server 113. In practice, all these functions can effectively be combined in one and the same server, or they can be distributed on several servers communicating with each other.

The server 113 is therefore connected to the network 120 (the Internet in the present description). Through this network, it can communicate with a server 121 of a provider. A provider is an Internet actor that proposes its services on the Internet, or an actor of another network (a communications means) by which the terminal 101 can receive/send information on a transaction. The transaction may relate to a sales service or to a simple service such as translation for example. In most cases, the server 121 is that of a host, i.e. a person who proposes hosting technologies to providers wishing to act on the Internet. Thus, the server 121 comprises interface circuits 122 providing connection with the Internet 120, a microprocessor 123 capable of executing instruction codes recorded in a memory 124. The memory 124 is divided into several zones, one of these zones 124A comprising instruction codes used to implement algorithms related to the PKI technologies. A zone 124B comprises instruction codes enabling the server 121 to behave like a server known as a WEB server, i.e. these are instruction codes used to implement the HTTP (Hypertext transfer protocol). A zone 124C has instruction codes used to implement the WAP protocol. Thus, a user provided with a terminal such as the telephone 101 can link up to the server 121 which recognizes the WAP protocol. The server 121 also has a memory 125 in which there are recorded different sites, especially that of the provider. The sites are described in the form of files, for example in the WML (Wireless Mark-up Language) format. The elements 122 to 125 are connected via a bus 126.

For the rest of the description, when an action is attributed to an apparatus, whether it is the terminal 101, the server 113 or the server 121, this action is actually performed by the microprocessor of the apparatus controlled by the instruction codes recorded in the program memory of the apparatus. It may also be recalled that a transaction is related to a transaction message, the two terms being used without distinction. The same is the case for signatures and signature messages. Indeed, in practice, a transaction and a signature are represented by a bit sequence, this sequence being then a binary message, i.e. a message formed by bits.

FIG. 2 shows a preliminary step 201 for the display of the transaction. In the step 201, a subscriber to the network 102 uses the terminal 101 to define a transaction. This means that the user of the terminal 101, subscribing to the network 102, uses the keyboard 111 and the screen 112 to set up a connection, for example through the WAP protocol, to a server of a provider. This server then sends information via the server 115 which then behaves like a WAP gateway. The information enables the telephone 101 to display the different services proposed by the provider on the screen 12 of the telephone 101. The user then chooses one of these services, thus obtaining the identifier of this service. Then the user uses the keyboard 111 to validate the transaction. At the time of the validation of the transaction, the user of the telephone 101 (hence the telephone 101) possesses the reference 301 of the article to introduce variability at the level of the computed signature (a serial number managed by the provider, a timestamp, a random value—the list is not exhaustive), the unit price 302 of the article, the quantity 303 of the article that he wishes to acquire, its network identifier 304 on the network 102. This is information on the transaction. Optionally, the user of the terminal 101 also possesses a URL (Universal Resource Locater) 305 by which the recipient of the transaction can obtain data enabling him to verify the validity of the transaction, and especially the validity of the countersignature 310. The totality of the information referred to here above exists in a memory of the telephone 101 in electronic form. This is a file. This file is the set of pieces of information on the nature of a transaction. It is also called a transaction message 306 or transaction T. The invention then passes to a step 202 for making a digest of the transaction T, or producing a fingerprint of the transaction T.

In practice, the transaction message 306 may be displayed in a good many ways. This message may be directly entered by the user on this telephone via the keyboard, obtained via a short message, or any other possibility used to enter/obtain information on the transaction.

In practice, the validation of the transaction is effective only after the user has entered a validation code. This is, for example, a four-figure code whose keying in makes it possible to pass to the following steps. The keying of this code is equivalent to the keying in of the secret code of a visa card when it is used. It ensures the non-repudiation of the payment. Indeed, the person who produced the signature then knew the validation code used to release the steps of production of this signature.

In the step 202 the telephone 101 applies the MD5 algorithm recorded in the zone 108 b to the transaction message 306 comprising the information pertaining to the nature of the transaction. Thus, a digital digest of the transaction is obtained. The invention passes to a step 203 of production of the signature.

FIG. 4 too illustrates the step 203. FIG. 4 shows that a signature is produced by using an enciphering algorithm whose inputs are the digital digest of the transaction as well as a secret key of the subscriber. The subscriber's secret key is recorded in the memory 110 of the telephone 101. The result of the signature algorithm is a signature message 307, or a signature 307. The enciphering algorithm used for the production of the signature 307 is, for example, the algorithm of the zone 108 c. In general, a signature is applied by applying an enciphering algorithm and a secret key to a fingerprint of the message to be signed.

Once the message 306 and its signature 307 have been obtained, the invention passes to a step 204 for sending this message 306 and its signature 307. They are sent towards the server 113, for example through a short message. However, for the transmission, it is possible to use any transmission protocol, including protocols that provide for an enciphering of the data transmitted. The invention passes to a step 205 for the reception of both the message and its signature by the server 113. The unit formed by the message 306 and its signature 307 is a first message 300 sent by the terminal 101.

In the step 205, the server 113 receives a short message. The header of this short message is used to determine who has sent this message. The server 113 then possesses an identifier of the sender. This is generally the MSISDN number of the sender. Through this identifier, the server 113 is capable of retrieving information on the sender from the table 118. In particular, in the row 118B, it retrieves the secret signature key (enciphered or not enciphered). Through this information, the server 113 is capable of verifying the validity of the signature 307. This verification consists, inter alia, of an inversion of the enciphering that was made on the message summarized by the hashing algorithm at the step 202. This is the signature verification step 206. In the step 206, the deciphering is done with the same key as the one used for the production of the signature because it involves algorithms known as symmetrical algorithms, hence algorithms that work according to the principle of a secret key. In this case, the key is known only to the senders and the receivers.

In the step 206, once the enciphering has been inversed on the signature, the server 113 reproduces the process that had led to obtaining the digest of the transaction, i.e. the server 113 applies the fingerprint computing algorithm (here MD5) to the information on the transaction, hence to the message 306. It then compares the result of the inversion of the enciphering of the signature with its own digest that it has produced. If there is identity, it means that the message has not been altered and that it has been truly transmitted by the person who claims to have sent it. If there is no identity, the transaction goes no further. If there is identity, the invention passes to a step 207 of composing the second message for the provider.

In practice, the operations of verification of a signature are performed by an independent electronic circuit approved by a certifying organization. This approval provides the guarantee that it is impossible to produce an enciphered message (i.e. to generate or regenerate a signature in the present case). Thus, by construction, the independent circuit, also known as a cryptographic board, prohibits the generation or new generation of a signature. This independent circuit inputs the transaction message, the corresponding signature and the secret key of the subscriber who has sent the message and the signature. The independent circuit outputs a message signifying “accurate signature” or “inaccurate signature” as the case may be. This independent circuit is the only one entitled to handle the enciphering algorithms and the associated keys. The independent circuit is incapable of producing a signature. This independent circuit is, for example, a microcircuit connected to the server 113, and communicating with the microprocessor 116. The independent circuit is, for example, inserted into the server 113 in the form of a microcircuit board. The server 113 then has a microcircuit board reader 127 connected to the bus 115. The storage of the user signature keys, enciphered by a key known only to this microcircuit board (or secured enciphering board) ensures that only this microcircuit board is capable of revealing the value of the user key in unenciphered form.

In the step 207, the server 113 produces a digital representation comprising the following information: a reference 301 of the article, a unit price 302, a quantity 303 of articles, the network identity 304 of the user of the terminal 101, a URL 305 for access to the X509 certificate of the user of the terminal 101, a transaction identifier 308 to introduce variability in the computed signature (a serial number managed by the server, a timestamp, a random value: the list is not exhaustive), and the signature 307 as produced by the terminal 101 at the step 203. Let this digital representation be called a message 309. At the step 113, the server 113 then produces a countersignature 310 for the message 309. With the algorithm of the memory 117B (i.e. the algorithm MD5), the server 113 then computes a fingerprint of the unenciphered message 309. The server 113 then makes a search, in the memory 118, for the private key of the X509 circuit corresponding to the operator or to the user of the telephone 101, depending on the variants. The server 113 uses this private key for the enciphering, at the step 209, of the fingerprint of the message 309. Thus, a countersignature 310 is obtained. The server 113 then assembles the message 309 and the countersignature 310 of this message 309. A digital representation/message 311 of the information is obtained in a step 210.

It may be recalled that an X509 certificate comprises the identity of its holder. A link to such a certificate may therefore be considered to be a piece of information on the identity of the user who is the holder of this certificate.

The identifier 308 is, for example, a time index (known as a timestamp in the literature) enabling the transaction to be indexed from this date.

It may be recalled that the enciphering operations implementing public keys and private keys are what are called asymmetrical enciphering operations; they use, for example, the RSA enciphering algorithm.

In practice, the countersignature 310 may be produced by the same independent circuit as the one used for the verification of the signature at the step 206. In this case, said independent circuit is furthermore provided with a private key corresponding to the subscriber or to the operator depending on the variants, and the identifier 308. Thus, for the production of the countersignature, the same guarantee of confidentiality is obtained as for the verification of the signature. It is thus ensured that a countersignature is produced only if a valid signature is received.

The invention passes to the step 210 for sending the message 311 to the provider, i.e. towards communications and processing means of the provider, for example the server 121. Such means are known. This transmission is made, for example, through an e-mail. It is the terminal 101 that gives the server 113 the provider's electronic address. The terminal 101 has obtained this address, for example during a communication with the provider to edit the transaction, or receive a message from the provider. If not, the subscriber must key in an identifier to identify the provider. This identifier then becomes an element of the transaction message 306. In practice, the message 311 can be sent by any protocol whatsoever that is supported by the operator of the network 102 and the provider.

In one variant, an X509 certificate is sent at the same time as the message 311. This averts the need for the recipient of the message 311 to search for said certificate. It may be recalled that an X509 certificate comprises a piece of information used to access a list of repudiated certificates, i.e. an X509 certificate comprises means to verify its validity.

The invention passes to the step 211 for the reception of the message by the provider. In this step, the provider obtains information on a person who wishes to purchase a certain product from him in a certain quantity and at a certain price. Furthermore, the server 121 then possesses an address 305 enabling it to obtain the X509 certificate from the person wishing to make this purchase. This X509 certificate comprises especially the algorithm that was used to produce the signature, as well as the public key of the person wishing to make the transaction. The provider is therefore capable of verifying the validity of the transaction.

There are at least three variants for the operator to countersign the transactions made by its subscribers. A first variant entails the hosting, at the server 113, of all the dual keys and certificates of the subscribers. The invention then implements a secured and non-repudiable transfer of electronic signature (in PKI technology) to a remote terminal. A second variant consists in producing all the dual keys and associated certificates of the subscribers at the level of the operator and hosting them at the server 113 as described in the first variant. A third variant consists in producing a single dual key (at the operator's level) and generating certificates that are different and unique in their contents for each of the subscribers (for example based on their serial numbers) and housing the totality as described for the first and second variants.

In the step 209, the server 121 applies a deciphering to the countersignature 310 produced by the server 113. This deciphering produces a message resulting from a previous hashing performed by the server 113. The knowledge of the hashing algorithm enables the server 121 to recompute this hashing from the message 309, and then compare this result production with the result of the deciphering. If there is identity, it means that the person who has made the transaction is truly the person claiming to have done so. It also means that the contents of the transaction have not been altered during the transmission. The provider can then fulfill his side of the transaction in full confidence.

Thus a transaction is made by the sending of a first message from the user to the operator, this first message comprising the transaction T and its signature, then by the sending of a second message from the operator to the provider, comprising a second transaction and its countersignature. The second transaction then comprises the transaction T, its signature and data added by the operator such as a timestamp.
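The two-message chain summarized above, as an added example that is not part of the original patent text. It substitutes HMAC-SHA256 for the enciphered MD5 fingerprint and a toy unpadded RSA key for the operator's dual key; the key table contents, the certificate URL and all function and field names are assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed stand-in for table 118: MSISDN -> secret signature key (row 118B).
TABLE_118 = {"+33600000001": b"constructed-subscriber-key"}
CERT_URL = "https://operator.example/certs/placeholder"  # hypothetical URL 305

# Toy textbook RSA key for the operator, built from two Mersenne primes and
# used without padding. Illustration only; not a production key size or scheme.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def canon(obj):
    """Canonical bytes, so every party hashes exactly the same encoding."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def terminal_sign(key, transaction):
    """Steps 202-203: signature 307 over message 306 (HMAC-SHA256 here)."""
    return hmac.new(key, canon(transaction), hashlib.sha256).hexdigest()

def digest_int(data):
    """SHA-256 fingerprint reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def operator_countersign(msisdn, transaction, sig_307):
    """Steps 205-209: verify 307, compose message 309, produce 310."""
    key = TABLE_118.get(msisdn)
    if key is None:
        raise PermissionError("unknown subscriber")
    if not hmac.compare_digest(terminal_sign(key, transaction), sig_307):
        raise PermissionError("inaccurate signature")  # no countersignature
    msg_309 = dict(transaction, identity_304=msisdn, cert_url_305=CERT_URL,
                   txn_id_308=secrets.token_hex(8), signature_307=sig_307)
    return msg_309, pow(digest_int(canon(msg_309)), D, N)

def provider_verify(msg_309, countersig_310):
    """Provider: recompute the fingerprint and compare with 'deciphered' 310."""
    return pow(countersig_310, E, N) == digest_int(canon(msg_309))

if __name__ == "__main__":
    txn = {"reference_301": "SKU-1", "unit_price_302": "9.90", "quantity_303": 2}
    sig = terminal_sign(TABLE_118["+33600000001"], txn)
    msg, cs = operator_countersign("+33600000001", txn, sig)
    print("provider accepts:", provider_verify(msg, cs))
    print("altered quantity accepted:", provider_verify(dict(msg, quantity_303=200), cs))
```

Because the identifier 308 is drawn at random here, countersigning the same transaction twice yields two different countersignatures, which is the variability the description attributes to that field.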

The invention thus presents many points of interest. Indeed, the production of signatures exchanged between the terminal 101 and the server 113 is done with symmetrical algorithms. These algorithms are highly robust and require little computation power in their implementation. This makes it possible to provide a reliable communications channel between the terminal 101 and the server 113 at low cost. Furthermore, inasmuch as the operator managing the server 113 has numerous means at his disposal to identify his subscribers, i.e. the persons sending messages on the network that he manages, the management of the secret keys is greatly simplified. The operator will always be in a position to know who has sent the message, independently of the value of the secret key used. This thus reduces the number of secret keys to be managed. It also reduces the computation power needed to implement signature production at the terminal 101. This has the effect of shortening the user's waiting time, and also of extending the lifetime of the battery of the terminal 101.

In the invention, it is the operator, managing the server 113, that acts as certification authority, i.e. when a provider receives a transaction, he interrogates the server 113, or another server of the operator to obtain the X509 certificate having performed the transaction, the operator acting as guarantor for his subscribers and the provider countersigning the subscriber/provider transaction with his own dual key. It will be noted however, that the computation power needed for the implementation of the PKI technologies is transferred to the operator's server 113. Such a server is generally more powerful than a terminal 101. This is therefore not inconvenient but rather advantageous. Similarly, such a server is not battery-operated.

The invention furthermore enables the operator to propose additional services, in the context of variants, to his subscribers, for example the management of an X509 certificate. The subscriber no longer has to concern himself with the performance of the steps needed to obtain such certificates since most of the time the operator possesses all the information needed to obtain and produce such a certificate when the subscriber makes a subscription contract with the operator. It can be seen here that the operator truly fulfils all the conditions for acting as recording authority.

The invention can also be implemented if the operator is not a certification authority. In this case, it is enough for the operator to use a certificate which is his to produce the countersignature 310. In this case, it is effectively the operator that acts as guarantor for his subscribers. The operator can do so because he has access to the information given by his subscribers when a subscription is taken out. The operator is therefore capable of refusing transactions according to certain criteria, for example if the amount is too great, or if it is impossible to identify the subscriber (for example in the case of the use of an anonymous prepaid card). The operator therefore has total visibility with respect to the transactions performed on his network. This also constitutes a guarantee for the providers.

The payments corresponding to the transactions may be made by the operator who can then pass them on to the subscriber's invoice.

In one variant of the invention, there is provision for an enciphering of messages exchanged between the terminal and servers. This enciphering is either intrinsic to the protocols used, or implemented by the terminal and the servers. This enciphering provides an additional assurance of confidentiality.

In one variant, the items of information registered in the table 118 are enciphered, especially the row 118B. In this case the deciphering key, or storage key, is known only to the elements of the server 113 that have used these items of information, for example the independent circuit.

In one variant of the invention, the transaction T is transmitted to the user by the provider in the form of a proposal. This proposal is then signed by the provider. This proposal goes through the operator. The operator is then in charge of verifying the validity of the signature of the proposal. If this signature is valid, then the operator forwards the proposal to the user. The reception and the consultation of this proposal then correspond to the step 201. The user receiving such a proposal is then assured of its validity because this validity is guaranteed by the operator.

1. Electronic signature method, characterized by the fact that it comprises the following steps: information is edited (201) on a terminal of the user, this information pertaining to the nature of a transaction T between the user and a provider, a signature of the transaction T is produced (203) at the terminal to authenticate the transaction T and the author of the transaction T, on the terminal, there is produced a first message comprising the information relative to the nature of the transaction T and its signature, said signature being produced by the implementation of a symmetrical algorithm, the first message is sent (204), from the terminal to the server of a telecommunications operator, the first message is received (205) on the server of the telecommunications operator, the user of the terminal is identified on the server, the validity of the signature is verified (206), on the server, a second transaction, comprising the transaction T, the signature of the user of the terminal and information on the identity of the user of the terminal, is produced (207) on the server, a signature corresponding to the second transaction is produced (209), this signature being called the operator's countersignature, said countersignature being produced by the implementation of an algorithm called an asymmetrical algorithm, a second message, comprising the second transaction and its countersignature by the operator, is sent (210) from the server to the provider who is party to the transaction T.

2. Method according to claim 1, characterized by the fact that a dual key used (209) for the computation of the countersignature is the one attached to the operator.

3. Method according to claim 1, characterized by the fact that the signature of the transaction T is produced by using an enciphering algorithm initialized by a signature key proper to the user of the terminal.

4. Method according to claim 1, characterized by the fact that the second message and the countersignature are sent via a short message.

5. Method according to claim 1, characterized by the fact that the pieces of information on the user's identity are a link to a certificate, preferably according to the X509 standard, delivered by a certification authority.

6. Method according to claim 1, characterized by the fact that the second message furthermore comprises a transaction identifier.

7. Method according to claim 1, characterized by the fact that the countersignature is made by the use of the dual key and the X509 certificate of the subscriber who is a party to the transaction T, hosted by the operator.

8. Method according to claim 1, characterized by the fact that the countersignature is made by use of a particular dual key, hosted by the operator, and for which several X509 subscriber certificates have been generated, these certificates being all unique in their serial number.

9. Method according to claim 1, characterized by the fact that the operator analyzes the signature of the transaction signed by the provider and sent by the provider before it is sent to the subscriber, this verification enabling the subscriber to guarantee the validity of the transaction before signature.